I have an OpenWrt 10.03 router [ IP: 192.168.1.1 ], and it has a DHCP server pool: 192.168.1.0/24 - clients are using it through wireless/wired connection. Ok!

Here's the catch: I need to separate the users from each other.

How I need to do it: by an IPTABLES rule [ /etc/firewall.user ]. Ok!
"Loud thinking": So I need a rule something like this [on the OpenWrt router]:

- DROP where SOURCE: 192.168.1.2-192.168.1.255 and DESTINATION is 192.168.1.2-192.168.1.255

The idea is this. Ok!

Questions!
- Will I lock myself out if I apply this firewall rule?
- Is this a secure method? [ is it easy to do this?: hello, I'm a client, and I say, my IP address is 192.168.1.1! - now it can sniff the unencrypted traffic! :( - because all the clients are in the same subnet! ]
- Are there any good methods to find/audit for duplicated IP addresses?
- Are there any good methods to find/audit for duplicated MAC addresses?
- Are there any good methods to do this IPTABLES rule on Layer 2?:
$ wget -q "http://downloads.openwrt.org/backfire/10.03/ar71xx/packages/" -O - | grep -i ebtables
$

It makes more sense on a router which is not supposed to connect to everything.

I would advise against MAC filtering; in my experience it adds no security, only inconvenience. But if you want to see:

iptables -m mac --help

Logging MAC addresses could be useful but they are easily forged. Just add -j LOG or -j NFLOG before the ACCEPT rule with the same matching rules.

Since you are configuring a computer which is only accessible from the network you should be very careful not to lock yourself out. You can't just walk to it and delete the rules manually. In particular, typing iptables -P INPUT DROP with an empty INPUT chain will kill your SSH session. I recommend using iptables-save and iptables-restore and writing the rules in a config file. It also helps if you can test the rules on a computer with a keyboard and monitor before trying it on the router.
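An added example (not from the question or the answer above) of the LAN-to-LAN DROP rule the question describes, written as an /etc/firewall.user style script that applies it with a timed rollback, the lock-out safeguard the answer recommends. It assumes the default OpenWrt names br-lan and 192.168.1.0/24; note that client-to-client traffic only reaches the FORWARD chain when the bridge hands it to iptables, and that wired clients on the same switch never pass through the router at all.

```shell
#!/bin/sh
# Added example (not from the thread): client-isolation rules in the style of
# OpenWrt's /etc/firewall.user, with a timed rollback against locking yourself out.
# Assumptions: LAN bridge br-lan, subnet 192.168.1.0/24 (default OpenWrt values).
# Caveat: client-to-client traffic only reaches FORWARD if the bridge passes it to
# iptables (bridge-nf-call-iptables=1); wired clients on the same switch never
# touch the router. For Wi-Fi, 'option isolate 1' in /etc/config/wireless
# isolates clients at layer 2 instead, which is what the rule below cannot do.
LAN_IF="br-lan"
LAN_NET="192.168.1.0/24"
ROLLBACK_SECS=120
SAVED="/tmp/fw.before"

# Print (rather than run) the iptables commands so they can be reviewed first.
# Traffic to the router itself goes through INPUT, not FORWARD, so SSH/DHCP/DNS
# to 192.168.1.1 are unaffected; only client-to-client forwarding is dropped,
# and a rate-limited LOG rule records what was dropped.
isolation_rules() {
    printf 'iptables -N lan_isolate\n'
    printf 'iptables -A lan_isolate -m limit --limit 5/min -j LOG --log-prefix "LAN-ISOLATE: "\n'
    printf 'iptables -A lan_isolate -j DROP\n'
    printf 'iptables -I FORWARD -i %s -o %s -s %s -d %s -j lan_isolate\n' \
        "$LAN_IF" "$LAN_IF" "$LAN_NET" "$LAN_NET"
}

# Apply the rules; the previous ruleset is restored automatically after
# ROLLBACK_SECS unless confirm_rules is run from a session that still works.
apply_with_rollback() {
    iptables-save > "$SAVED" || return 1
    ( sleep "$ROLLBACK_SECS" && iptables-restore < "$SAVED" ) &
    echo $! > "$SAVED.pid"
    isolation_rules | sh
    echo "applied; run '$0 confirm' within ${ROLLBACK_SECS}s to keep the rules"
}

# Cancel the pending rollback once you have verified you can still log in.
confirm_rules() {
    kill "$(cat "$SAVED.pid")" 2>/dev/null && rm -f "$SAVED.pid"
}

case "$1" in
    apply)   apply_with_rollback ;;
    confirm) confirm_rules ;;
    *)       isolation_rules ;;
esac
```

Run it with no argument to review the rules, with `apply` to install them, and with `confirm` once a fresh SSH login succeeds.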

I want to separate the users from each other
– LanceBaynes Mar 5 '11 at 10:00

@user4724: So wireless user A shouldn't talk to wireless user B? That connection will not go through the router. WPA can do "wireless client separation". I have no idea how to do that on wired networks.
– stribika Mar 5 '11 at 10:05

@user4724: You could do it in the client firewalls. Drop everything from 10.0.0.0/8 except from the router in the input and output chains. If that's acceptable I will add it to my answer.
– stribika Mar 5 '11 at 10:16

thank you! but the main problem is: "it can sniff the unencrypted traffic" - so if a client comes that's e.g. a mobile device, that won't have a firewall :\
– LanceBaynes Mar 5 '11 at 10:35

"So wireless user A shouldn't talk to wireless user B? That connection will not go through the router." - Really? It cannot be done with the firewall on the OpenWrt router?? :((
– LanceBaynes Mar 5 '11 at 10:35